in Vulerability Open Source iOS

'The biggest' *OS problem in 2018

It's March 2018 when I'm writing this post. From day to day, Apple's security is improved - we have Kernel Patch Protection, Secure Enclave Processor (now even on macOS with Touch Bar), GateKeeper and many other security features. On the other hand, only in the last half of the year some trivial bugs were found that led to password disclosure. It's seems like password leaks may be currently the most serious, from PR perspective, *OS problem.

For instance, let's recall CVE-2017-7149 - password leakage via hint:
CVE-2017-7149 password leaking
Source: https://www.macrumors.com/

Another example may be finding (finally fixed!) where macOS was storing newly created encrypted volume password in logs.
APFS password in logs
Source https://www.mac4n6.com/

Shown examples refer to macOS. What about iOS? We can't just plug an external drive in and encrypt it. Instead of this we have custom apps that sometimes have to save some passwords secret data in Keychain.

If you are a developer - remember just one simple thing

Don't log secret data on production environment

During my work, I was auditing a Cordova App and then I saw plain text password right in the logs. I talked to the developer and it proved that Cordova doesn't support Keychain by itself. One of the most popular Keychain plugin (also used by this developer) is https://github.com/ionic-team/cordova-plugin-ios-keychain.

The guilty one was of course the NSLog function ;-)
NSLog in the plugin

I have reported it and the bug is now fixed (CVE-2018-1000123).